Analysis Report 5e8fYZ8TM6

Overview

General Information

Sample Name: 5e8fYZ8TM6 (renamed file extension from none to exe)
Analysis ID: 317608
MD5: e312419a2323bc0885320ffba12c61fb
SHA1: e41575401eb8f67515cd02f892b8a3718f50319d
SHA256: 4eea447c84313427eef7bad0462274e923632504daafc313f1528b7f46c5852d

Detection

Emotet
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Emotet
Changes security center settings (notifications, updates, antivirus, firewall)
Drops executables to the windows directory (C:\Windows) and starts them
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to enumerate running services
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files to the windows directory (C:\Windows)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains strange resources
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Tries to load missing DLLs
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: 5e8fYZ8TM6.exe Metadefender: Detection: 54%
Source: 5e8fYZ8TM6.exe ReversingLabs: Detection: 66%
Machine Learning detection for sample
Source: 5e8fYZ8TM6.exe Joe Sandbox ML: detected

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe Code function: 2_2_02AF2290 CryptGetHashParam,CryptEncrypt,CryptDestroyHash,CryptDuplicateHash,memcpy,CryptExportKey,GetProcessHeap,RtlAllocateHeap, 2_2_02AF2290
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe Code function: 2_2_02AF2650 CryptAcquireContextW,CryptGenKey,CryptCreateHash,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptDecodeObjectEx, 2_2_02AF2650
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe Code function: 2_2_02AF1FB0 memcpy,GetProcessHeap,RtlAllocateHeap,CryptVerifySignatureW,CryptDestroyHash,CryptDecrypt,CryptDuplicateHash, 2_2_02AF1FB0
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe Code function: 0_2_022A38F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,FindFirstFileW,_snwprintf,FindClose, 0_2_022A38F0
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe Code function: 2_2_02AF38F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,_snwprintf,FindClose,FindClose, 2_2_02AF38F0

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2404346 ET CNC Feodo Tracker Reported CnC Server TCP group 24 192.168.2.3:49727 -> 88.153.35.32:80
Source: Traffic Snort IDS: 2404300 ET CNC Feodo Tracker Reported CnC Server TCP group 1 192.168.2.3:49733 -> 107.170.146.252:8080
Source: Traffic Snort IDS: 2404308 ET CNC Feodo Tracker Reported CnC Server TCP group 5 192.168.2.3:49739 -> 173.212.214.235:7080
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49733 -> 107.170.146.252:8080
Source: global traffic TCP traffic: 192.168.2.3:49739 -> 173.212.214.235:7080
Source: global traffic TCP traffic: 192.168.2.3:49740 -> 167.114.153.111:8080
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 107.170.146.252 107.170.146.252
Source: Joe Sandbox View IP Address: 167.114.153.111 167.114.153.111
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
Source: Joe Sandbox View ASN Name: LIBERTYGLOBALLibertyGlobalformerlyUPCBroadbandHolding LIBERTYGLOBALLibertyGlobalformerlyUPCBroadbandHolding
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Source: global traffic TCP traffic: 192.168.2.3:49727 -> 88.153.35.32:80
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /Gjg6VQQfQODeFKh5/ipksxZysj4/Y3BzlSWrxu2eNy/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 167.114.153.111/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=--------------------59GcGOAAM0KMMN79WmTgUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 167.114.153.111:8080Content-Length: 4612Cache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 88.153.35.32
Source: unknown TCP traffic detected without corresponding DNS query: 88.153.35.32
Source: unknown TCP traffic detected without corresponding DNS query: 88.153.35.32
Source: unknown TCP traffic detected without corresponding DNS query: 107.170.146.252
Source: unknown TCP traffic detected without corresponding DNS query: 107.170.146.252
Source: unknown TCP traffic detected without corresponding DNS query: 107.170.146.252
Source: unknown TCP traffic detected without corresponding DNS query: 173.212.214.235
Source: unknown TCP traffic detected without corresponding DNS query: 173.212.214.235
Source: unknown TCP traffic detected without corresponding DNS query: 173.212.214.235
Source: unknown TCP traffic detected without corresponding DNS query: 167.114.153.111
Source: unknown TCP traffic detected without corresponding DNS query: 167.114.153.111
Source: unknown TCP traffic detected without corresponding DNS query: 167.114.153.111
Source: unknown TCP traffic detected without corresponding DNS query: 167.114.153.111
Source: unknown TCP traffic detected without corresponding DNS query: 167.114.153.111
Source: unknown TCP traffic detected without corresponding DNS query: 167.114.153.111
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe Code function: 2_2_02AF29B0 InternetReadFile,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,HeapFree,HttpQueryInfoW, 2_2_02AF29B0
Source: unknown HTTP traffic detected: POST /Gjg6VQQfQODeFKh5/ipksxZysj4/Y3BzlSWrxu2eNy/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 167.114.153.111/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=--------------------59GcGOAAM0KMMN79WmTgUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 167.114.153.111:8080Content-Length: 4612Cache-Control: no-cache
Source: SystemPropertiesDataExecutionPrevention.exe, 00000002.00000002.485148988.0000000003450000.00000004.00000001.sdmp String found in binary or memory: http://107.170.146.252:8080/FzxV1tcYAXWJ/49nleX/mnwI0BZz7GFzEpyb4FJ/
Source: SystemPropertiesDataExecutionPrevention.exe, 00000002.00000002.486301037.0000000003626000.00000004.00000001.sdmp String found in binary or memory: http://167.114.153.111:8080/Gjg6VQQfQODeFKh5/ipksxZysj4/Y3BzlSWrxu2eNy/
Source: SystemPropertiesDataExecutionPrevention.exe, 00000002.00000002.486301037.0000000003626000.00000004.00000001.sdmp String found in binary or memory: http://167.114.153.111:8080/Gjg6VQQfQODeFKh5/ipksxZysj4/Y3BzlSWrxu2eNy/7
Source: SystemPropertiesDataExecutionPrevention.exe, 00000002.00000003.341262791.0000000003627000.00000004.00000001.sdmp String found in binary or memory: http://88.153.35.32/C2AWX/0IcMqQll94L/
Source: SystemPropertiesDataExecutionPrevention.exe, 00000002.00000003.341262791.0000000003627000.00000004.00000001.sdmp String found in binary or memory: http://88.153.35.32/C2AWX/0IcMqQll94L/7
Source: svchost.exe, 00000003.00000002.484487790.0000028B6F612000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: svchost.exe, 00000003.00000002.484487790.0000028B6F612000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 00000003.00000002.484568656.0000028B6F63D000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.msocsp.com0
Source: svchost.exe, 0000000B.00000002.312330349.0000015EE0C13000.00000004.00000001.sdmp String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000008.00000002.481945367.0000026800640000.00000004.00000001.sdmp String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000008.00000002.481945367.0000026800640000.00000004.00000001.sdmp String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000008.00000002.481945367.0000026800640000.00000004.00000001.sdmp String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 0000000B.00000003.312039038.0000015EE0C5F000.00000004.00000001.sdmp String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000008.00000002.481945367.0000026800640000.00000004.00000001.sdmp String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000008.00000002.481945367.0000026800640000.00000004.00000001.sdmp String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000B.00000003.312047109.0000015EE0C5A000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000B.00000003.312039038.0000015EE0C5F000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000B.00000002.312371583.0000015EE0C3D000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000B.00000003.312039038.0000015EE0C5F000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000B.00000002.312388605.0000015EE0C4E000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000B.00000003.312039038.0000015EE0C5F000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 0000000B.00000002.312371583.0000015EE0C3D000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000B.00000003.312039038.0000015EE0C5F000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000B.00000003.312039038.0000015EE0C5F000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000B.00000003.312039038.0000015EE0C5F000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000B.00000003.312073422.0000015EE0C41000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000B.00000003.312073422.0000015EE0C41000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000B.00000003.312039038.0000015EE0C5F000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000B.00000002.312395961.0000015EE0C5C000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000000B.00000003.312047109.0000015EE0C5A000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000B.00000002.312395961.0000015EE0C5C000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000B.00000002.312395961.0000015EE0C5C000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000B.00000002.312405048.0000015EE0C64000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.312069072.0000015EE0C45000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.312047109.0000015EE0C5A000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000B.00000003.312039038.0000015EE0C5F000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000B.00000002.312371583.0000015EE0C3D000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000B.00000003.290284677.0000015EE0C31000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: SystemPropertiesDataExecutionPrevention.exe, 00000002.00000003.341262791.0000000003627000.00000004.00000001.sdmp String found in binary or memory: https://fs.microsoft.c
Source: svchost.exe, 0000000B.00000002.312371583.0000015EE0C3D000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000B.00000002.312330349.0000015EE0C13000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.312371583.0000015EE0C3D000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000B.00000003.312069072.0000015EE0C45000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000B.00000003.312069072.0000015EE0C45000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000B.00000003.290284677.0000015EE0C31000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000B.00000002.312366257.0000015EE0C3A000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000B.00000002.312330349.0000015EE0C13000.00000004.00000001.sdmp String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen

E-Banking Fraud:

Yara detected Emotet
Source: Yara match File source: 00000002.00000002.484136450.0000000002AF1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.253560512.0000000000549000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.481950489.0000000000531000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.235061134.00000000022A1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.235927547.00000000033E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0.2.5e8fYZ8TM6.exe.22a0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.SystemPropertiesDataExecutionPrevention.exe.2af0000.2.unpack, type: UNPACKEDPE
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe Code function: 2_2_02AF2650 CryptAcquireContextW,CryptGenKey,CryptCreateHash,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptDecodeObjectEx, 2_2_02AF2650

System Summary:

Contains functionality to call native functions
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe Code function: 0_2_022901F0 GetCurrentProcess,NtQueryInformationProcess,GetProcessHeap,HeapFree,GetProcessHeap,RtlAllocateHeap,GetCurrentProcess,NtQueryInformationProcess,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory, 0_2_022901F0
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe Code function: 2_2_02AE01F0 GetCurrentProcess,NtQueryInformationProcess,GetProcessHeap,HeapFree,GetProcessHeap,RtlAllocateHeap,GetCurrentProcess,NtQueryInformationProcess,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory, 2_2_02AE01F0
Creates files inside the system directory
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe File created: C:\Windows\SysWOW64\unenrollhook\
Deletes files inside the Windows folder
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe File deleted: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe:Zone.Identifier
Detected potential crypto function
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe Code function: 0_2_00451D80 0_2_00451D80
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe Code function: 0_2_022A8240 0_2_022A8240
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe Code function: 0_2_022A3F20 0_2_022A3F20
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe Code function: 0_2_022A7740 0_2_022A7740
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe Code function: 0_2_022A3BA0 0_2_022A3BA0
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe Code function: 0_2_022A1C70 0_2_022A1C70
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe Code function: 0_2_022A6530 0_2_022A6530
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe Code function: 0_2_022A3D10 0_2_022A3D10
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe Code function: 2_2_02AF8240 2_2_02AF8240
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe Code function: 2_2_02AF3BA0 2_2_02AF3BA0
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe Code function: 2_2_02AF3F20 2_2_02AF3F20
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe Code function: 2_2_02AF6530 2_2_02AF6530
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe Code function: 2_2_02AF3D10 2_2_02AF3D10
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe Code function: 2_2_02AF1C70 2_2_02AF1C70
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe Code function: 2_2_02AF7740 2_2_02AF7740
PE file contains strange resources
Source: 5e8fYZ8TM6.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 5e8fYZ8TM6.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 5e8fYZ8TM6.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: 5e8fYZ8TM6.exe, 00000000.00000002.236353987.0000000003880000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs 5e8fYZ8TM6.exe
Source: 5e8fYZ8TM6.exe, 00000000.00000002.234305664.0000000000470000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameSEKPaint2.exe vs 5e8fYZ8TM6.exe
Source: 5e8fYZ8TM6.exe, 00000000.00000002.236532586.0000000003980000.00000002.00000001.sdmp Binary or memory string: originalfilename vs 5e8fYZ8TM6.exe
Source: 5e8fYZ8TM6.exe, 00000000.00000002.236532586.0000000003980000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs 5e8fYZ8TM6.exe
Source: 5e8fYZ8TM6.exe, 00000000.00000002.234876439.0000000002110000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs 5e8fYZ8TM6.exe
Source: 5e8fYZ8TM6.exe Binary or memory string: OriginalFilenameSEKPaint2.exe vs 5e8fYZ8TM6.exe
Tries to load missing DLLs
Source: C:\Windows\System32\svchost.exe Section loaded: xboxlivetitleid.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cdpsgshims.dll Jump to behavior
Source: 5e8fYZ8TM6.exe Binary or memory string: F*\AC:\sekpaint20\SEKPaint2.vbp
Source: 5e8fYZ8TM6.exe, 00000000.00000002.234276941.000000000046C000.00000004.00020000.sdmp, SystemPropertiesDataExecutionPrevention.exe, 00000002.00000002.481834265.000000000046C000.00000004.00020000.sdmp Binary or memory string: @*\AC:\sekpaint20\SEKPaint2.vbp
Source: classification engine Classification label: mal80.troj.evad.winEXE@18/8@0/6
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe Code function: CloseServiceHandle,_snwprintf,CreateServiceW,CloseServiceHandle, 0_2_022A87D0
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe Code function: 2_2_02AF4CB0 CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle,FindCloseChangeNotification, 2_2_02AF4CB0
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe Code function: 0_2_022A5070 EnumServicesStatusExW,GetTickCount,ChangeServiceConfig2W,OpenServiceW,OpenServiceW,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap, 0_2_022A5070
Source: C:\Windows\System32\svchost.exe File created: C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5404:120:WilError_01
Source: 5e8fYZ8TM6.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll Jump to behavior
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll Jump to behavior
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: 5e8fYZ8TM6.exe Metadefender: Detection: 54%
Source: 5e8fYZ8TM6.exe ReversingLabs: Detection: 66%
Source: unknown Process created: C:\Users\user\Desktop\5e8fYZ8TM6.exe 'C:\Users\user\Desktop\5e8fYZ8TM6.exe'
Source: unknown Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: unknown Process created: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288 Jump to behavior
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe Process created: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable Jump to behavior
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D105A4D4-344C-48EB-9866-EE378D90658B}\InProcServer32 Jump to behavior

Data Obfuscation:

PE file contains an invalid checksum
Source: 5e8fYZ8TM6.exe Static PE information: real checksum: 0x8839b should be: 0x92711
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe Code function: 0_2_0040C8B4 push es; retf 0_2_0040C8D3
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe Code function: 0_2_0040C915 push ds; iretd 0_2_0040C91F
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe Code function: 0_2_022A5E10 push ecx; mov dword ptr [esp], 0000F5B3h 0_2_022A5E11
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe Code function: 0_2_022A5EA0 push ecx; mov dword ptr [esp], 0000A3FDh 0_2_022A5EA1
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe Code function: 0_2_022A5EF0 push ecx; mov dword ptr [esp], 0000669Ch 0_2_022A5EF1
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe Code function: 0_2_022A5F20 push ecx; mov dword ptr [esp], 0000E36Ch 0_2_022A5F21
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe Code function: 0_2_022A5CD0 push ecx; mov dword ptr [esp], 00001CE1h 0_2_022A5CD1
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe Code function: 0_2_022A5D20 push ecx; mov dword ptr [esp], 0000C5A1h 0_2_022A5D21
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe Code function: 0_2_022A5D00 push ecx; mov dword ptr [esp], 00001F9Eh 0_2_022A5D01
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe Code function: 0_2_022A5D50 push ecx; mov dword ptr [esp], 00006847h 0_2_022A5D51
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe Code function: 0_2_022A5D90 push ecx; mov dword ptr [esp], 0000B2E0h 0_2_022A5D91
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe Code function: 0_2_022A5DF0 push ecx; mov dword ptr [esp], 0000AAF5h 0_2_022A5DF1
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe Code function: 0_2_022A5DC0 push ecx; mov dword ptr [esp], 000089FAh 0_2_022A5DC1
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe Code function: 2_2_02AF5EA0 push ecx; mov dword ptr [esp], 0000A3FDh 2_2_02AF5EA1
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe Code function: 2_2_02AF5D90 push ecx; mov dword ptr [esp], 0000B2E0h 2_2_02AF5D91
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe Code function: 2_2_02AF5DF0 push ecx; mov dword ptr [esp], 0000AAF5h 2_2_02AF5DF1
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe Code function: 2_2_02AF5EF0 push ecx; mov dword ptr [esp], 0000669Ch 2_2_02AF5EF1
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe Code function: 2_2_02AF5DC0 push ecx; mov dword ptr [esp], 000089FAh 2_2_02AF5DC1
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe Code function: 2_2_02AF5CD0 push ecx; mov dword ptr [esp], 00001CE1h 2_2_02AF5CD1
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe Code function: 2_2_02AF5D20 push ecx; mov dword ptr [esp], 0000C5A1h 2_2_02AF5D21
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe Code function: 2_2_02AF5F20 push ecx; mov dword ptr [esp], 0000E36Ch 2_2_02AF5F21
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe Code function: 2_2_02AF5D00 push ecx; mov dword ptr [esp], 00001F9Eh 2_2_02AF5D01
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe Code function: 2_2_02AF5E10 push ecx; mov dword ptr [esp], 0000F5B3h 2_2_02AF5E11
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe Code function: 2_2_02AF5D50 push ecx; mov dword ptr [esp], 00006847h 2_2_02AF5D51
Source: initial sample Static PE information: section name: .text entropy: 6.95854234229

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe Executable created and started: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe Jump to behavior
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe PE file moved: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe File opened: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe:Zone.Identifier read attributes | delete Jump to behavior
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\splwow64.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\splwow64.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\splwow64.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\splwow64.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\splwow64.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\splwow64.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\splwow64.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\splwow64.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\splwow64.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\splwow64.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\splwow64.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} Jump to behavior
Contains functionality to enumerate running services
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe Code function: EnumServicesStatusExW,GetTickCount,ChangeServiceConfig2W,OpenServiceW,OpenServiceW,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap, 0_2_022A5070
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\splwow64.exe Window / User API: threadDelayed 1077 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 1156 Thread sleep time: -30000s >= -30000s Jump to behavior
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0 Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\splwow64.exe Last function: Thread delayed
Source: C:\Windows\splwow64.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe Code function: 0_2_022A38F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,FindFirstFileW,_snwprintf,FindClose, 0_2_022A38F0
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe Code function: 2_2_02AF38F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,_snwprintf,FindClose,FindClose, 2_2_02AF38F0
Source: svchost.exe, 00000003.00000002.484675123.0000028B6F660000.00000004.00000001.sdmp Binary or memory string: "@Hyper-V RAW
Source: svchost.exe, 00000005.00000002.280073858.0000022EC5E60000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.293855513.0000025973A60000.00000002.00000001.sdmp, svchost.exe, 00000008.00000002.483871525.0000026801340000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: svchost.exe, 00000003.00000002.482245435.0000028B6A029000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW ofo
Source: SystemPropertiesDataExecutionPrevention.exe, 00000002.00000003.341262791.0000000003627000.00000004.00000001.sdmp, svchost.exe, 00000003.00000002.484638353.0000028B6F653000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000007.00000002.482240713.000001E91B602000.00000004.00000001.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: SystemPropertiesDataExecutionPrevention.exe, 00000002.00000002.486279195.0000000003616000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWHfa
Source: svchost.exe, 00000005.00000002.280073858.0000022EC5E60000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.293855513.0000025973A60000.00000002.00000001.sdmp, svchost.exe, 00000008.00000002.483871525.0000026801340000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 00000005.00000002.280073858.0000022EC5E60000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.293855513.0000025973A60000.00000002.00000001.sdmp, svchost.exe, 00000008.00000002.483871525.0000026801340000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: svchost.exe, 00000007.00000002.482320514.000001E91B640000.00000004.00000001.sdmp, svchost.exe, 00000008.00000002.481981398.0000026800668000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.482362022.0000029E4AE29000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 00000005.00000002.280073858.0000022EC5E60000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.293855513.0000025973A60000.00000002.00000001.sdmp, svchost.exe, 00000008.00000002.483871525.0000026801340000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to read the PEB
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe Code function: 0_2_022A4E20 mov eax, dword ptr fs:[00000030h] 0_2_022A4E20
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe Code function: 0_2_022A3F20 mov eax, dword ptr fs:[00000030h] 0_2_022A3F20
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe Code function: 2_2_02AF3F20 mov eax, dword ptr fs:[00000030h] 2_2_02AF3F20
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe Code function: 2_2_02AF4E20 mov eax, dword ptr fs:[00000030h] 2_2_02AF4E20
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe Code function: 0_2_022A36B0 _snwprintf,GetProcessHeap,DeleteFileW,DeleteFileW, 0_2_022A36B0
Source: SystemPropertiesDataExecutionPrevention.exe, 00000002.00000002.482882260.0000000000E10000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.482613678.000002DF09C60000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: SystemPropertiesDataExecutionPrevention.exe, 00000002.00000002.482882260.0000000000E10000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.482613678.000002DF09C60000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: SystemPropertiesDataExecutionPrevention.exe, 00000002.00000002.482882260.0000000000E10000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.482613678.000002DF09C60000.00000002.00000001.sdmp Binary or memory string: Progman
Source: SystemPropertiesDataExecutionPrevention.exe, 00000002.00000002.482882260.0000000000E10000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.482613678.000002DF09C60000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\5e8fYZ8TM6.exe Code function: 0_2_022A8240 CreateFileW,CreateFileW,GetModuleFileNameW,GetSystemTimeAsFileTime,CloseHandle, 0_2_022A8240
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe Code function: 2_2_02AF5360 RtlGetVersion,GetNativeSystemInfo,GetNativeSystemInfo, 2_2_02AF5360
Source: C:\Windows\SysWOW64\unenrollhook\SystemPropertiesDataExecutionPrevention.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)
Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
AV process strings found (often used to terminate AV products)
Source: svchost.exe, 0000000D.00000002.482277099.000001FFF0D02000.00000004.00000001.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 00000002.00000002.484136450.0000000002AF1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.253560512.0000000000549000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.481950489.0000000000531000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.235061134.00000000022A1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.235927547.00000000033E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0.2.5e8fYZ8TM6.exe.22a0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.SystemPropertiesDataExecutionPrevention.exe.2af0000.2.unpack, type: UNPACKEDPE